Terms of Service
Last updated: May 7, 2026
Notice: By accepting these Terms, you also accept Annex A: Data Processing Agreement, which forms an integral part of this contract.
General Information
Arhivix is a service owned by NOTIX DOO, Dušana Matića 26, 11000 Belgrade, Registration No: 21993310, Tax ID: 114240716.
Service Description
Arhivix enables electronic archiving, document management, invoicing, and fiscalization. Usage is without contractual obligation.
Usage Rules
- The user is responsible for the accuracy of entered data.
- Misuse of the system and unauthorized access are prohibited.
- Access to features depends on user privileges.
Availability
The system is available 24/7 except during scheduled maintenance.
Data Protection
Data is processed in accordance with the Law on Personal Data Protection and the GDPR.
Support
Support is available on business days from 9 AM to 5 PM via email at support@arhivix.com.
Changes to the Terms
NOTIX DOO reserves the right to modify these terms. All changes take effect immediately upon publication.
Annex A: Data Processing Agreement
Effective Date: 1 January 2025
This Data Processing Agreement (hereinafter: Agreement or DPA) is concluded between:
- The Customer of the Arhivix service (hereinafter: Controller), as the controller of personal data, and
- NOTIX DOO Beograd, Dušana Matića 26, 11000 Belgrade, Reg. No: 21993310, Tax ID: 114240716, represented by managing director Dragan Gavrić (hereinafter: Notix or Processor), as the processor of personal data.
This Agreement is concluded for the purpose of compliance with Article 28 of the General Data Protection Regulation (GDPR) and Article 45 of the Personal Data Protection Act of the Republic of Serbia, and forms an integral part of the Arhivix Terms of Service.
Article 1: Definitions
Terms used in this Agreement have the following meaning:
- Controller: The Customer using the Arhivix platform who determines the purposes and means of processing personal data entered into the platform.
- Processor: Notix DOO Beograd, processing personal data on behalf of the Controller.
- Personal Data: any information relating to an identified or identifiable natural person, in accordance with Article 4 GDPR.
- Processing: any operation performed on personal data, in accordance with Article 4 GDPR.
- Data Subject: the natural person to whom the personal data relates.
- Sub-processor: a legal or natural person engaged by the Processor to perform certain processing activities on behalf of the Controller.
- Personal Data Breach: a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
Article 2: Subject matter, nature and purpose of processing
Subject matter: storage and processing of documents and accompanying personal data on behalf of the Controller.
Nature of processing: storage, indexing, classification, optical character recognition (OCR), search, providing access to authorised users, and secure deletion.
Purpose: provision of the document management (DMS) service through the Arhivix platform.
Duration: for the entire term of the Terms of Service, extended by the retention period defined in the Privacy Policy and this Agreement.
Article 3: Types of data and categories of data subjects
Types of personal data processed:
- Identification data (name, surname, national ID if contained in documents)
- Contact data (address, email, phone)
- Financial data contained in documents (invoices, contracts, statements)
- Content of documents that the Controller uploads to the platform
- Technical data about user account and access
Categories of data subjects:
- Customers of the Controller
- Employees of the Controller
- Business partners and suppliers of the Controller
Article 4: Obligations of the Processor
In accordance with Article 28(3) GDPR, Notix undertakes to:
- Process personal data exclusively on the basis of written and documented instructions from the Controller, including instructions on the transfer of personal data to third countries, except where processing is required by law.
- Ensure that all persons authorised to process personal data are bound by a contractual obligation of confidentiality or are under a statutory obligation of secrecy.
- Take all appropriate technical and organisational security measures prescribed by Article 32 GDPR, detailed in Article 6 of this Agreement.
- Engage sub-processors exclusively with the prior general authorisation of the Controller, with the obligation to notify the Controller 30 days in advance of intended changes to the list of sub-processors; the Controller has the right to lodge a reasoned objection.
- Provide appropriate assistance to the Controller through the technical mechanisms of the platform for fulfilling the obligation to respond to data subjects' requests for the exercise of rights (right of access, rectification, erasure, restriction of processing, data portability, and objection).
- Provide assistance to the Controller in fulfilling obligations under Articles 32 to 36 GDPR, including obligations of processing security, breach notification, data protection impact assessments (DPIA), and prior consultations with the supervisory authority.
- Upon termination of the Terms of Service, enable the Controller to export all personal data within a 30-day period, then perform deletion of all personal data within the next 90 days, including copies from backup systems. The extended period for backup deletion is conditioned by technical backup rotation cycles.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Agreement and Article 28 GDPR.
- Not use the Controller's personal data for training, fine-tuning, or evaluation of artificial intelligence (AI) models, including large language models (LLM), nor forward such data to third parties for those purposes. The use of AI models for processing the Controller's data within the agreed functionalities of the platform (for example, optical character recognition, automatic document classification, search) is permitted exclusively for the purpose of providing the service to that Controller, whereby the data itself does not enter the training dataset for models used for other customers.
Article 5: Sub-processors
The Controller grants Notix a general authorisation to engage the following sub-processors for the provision of the Arhivix service:
| Sub-processor | Purpose of processing | Location of processing |
|---|---|---|
| Amazon Web Services EMEA SARL | Data storage and compute infrastructure | eu-central-1 (Frankfurt, EU) |
| Amazon SES | Sending of transactional email messages | EU region |
| Stripe Payments Europe Ltd. | Subscription payment processing (where applicable) | Republic of Ireland, EU |
An up-to-date and complete list of sub-processors is available on the page Sub-processors List. Notix undertakes to notify the Controller of every addition or replacement of a sub-processor at least 30 days in advance via the email address registered in the user account, as well as by publication on the said page.
Article 6: Security of processing
Notix applies the following technical and organisational measures for the protection of personal data:
- Encryption at rest: AES-256 encryption of all data in storage (AWS S3 SSE)
- Encryption in transit: TLS 1.2 or newer for all communications between the client and the platform
- Granular access control (RBAC): access based on user roles and privileges
- Centralised audit log: record of all user actions on data
- Regular backup: with periodic testing of the restore procedure
- Geographic redundancy: data replication within the EU region
- Security incident response procedure: documented procedure for detection, isolation, and reporting of breaches
Article 7: Personal data breach notification
Notix undertakes to notify the Controller of any personal data breach without undue delay, and no later than 72 hours after becoming aware of the breach.
The notification is sent to the email address registered in the Controller's user account, with a copy to legal@notixit.com, and contains at least:
- Description of the nature of the personal data breach
- Categories and approximate number of data subjects concerned
- Categories and approximate number of personal data records concerned by the breach
- Likely consequences of the breach
- Measures taken or to be taken to address the breach and to mitigate any adverse effects
- Contact details of the responsible person for further information
Article 8: Deletion or return of data upon termination
Upon termination of the Terms of Service, for any reason whatsoever:
- Notix enables the Controller to export all data in a standard machine-readable format within a period of 30 days from the date of termination.
- Upon expiry of the export period, Notix performs deletion of all active personal data within 30 days.
- Deletion from backup copies is performed within an additional 60 days, in accordance with the standard backup rotation cycle, totalling a maximum period of 120 days from termination of the agreement to complete removal of data from all systems.
- Upon written request from the Controller, Notix provides written confirmation of the executed deletion.
Article 9: Right to audit
The Controller has the right, no more than once per year, to request from Notix evidence of compliance with the obligations under this Agreement. Upon such request, Notix will provide:
- Security and compliance certificates that it holds
- Reports of independent auditors (where available)
- Written responses to specific questions from the Controller within a reasonable time
An on-site audit is possible no more than once per year, with the obligation of prior written notice of at least 30 days, at the Controller's expense, exclusively by an independent auditor who signs a non-disclosure agreement (NDA), and at a time that does not interfere with the regular business of Notix.
Article 10: Limitation of liability
The maximum aggregate liability of Notix under this Agreement, regardless of the legal basis of the claim, is limited to the sum of fees paid by the Controller to Notix in the 12 months preceding the event giving rise to liability.
For enterprise customers and obligors of anti-money laundering (AML) regulations, the parties may agree, in a separate written agreement (Master Service Agreement), to a different liability regime that shall in such case prevail over this Agreement.
Notix shall not be liable for:
- Indirect, consequential, or incidental damages
- Loss of profits, loss of business, loss of revenue, loss of opportunity
- Damage to reputation or goodwill
- Loss of data resulting from the actions or omissions of the Controller or data subjects
- Damage caused by force majeure, including natural disasters, armed conflicts, epidemics, public infrastructure interruptions, and acts of state authorities
Controller's warranties: The Controller warrants that it has a valid legal basis for the collection, entry, and processing of all personal data uploaded to the Arhivix platform. All liability for unlawfully collected or entered personal data rests solely with the Controller, and Notix has no obligation to verify the legal basis of processing.
Article 11: Duration and termination
This Agreement enters into force simultaneously with the acceptance of the Terms of Service and lasts as long as the main contract for the use of the Arhivix platform.
Upon termination, the provisions of Article 8 (Deletion or return of data), Article 9 (Audit) regarding processing performed during the term, Article 10 (Limitation of liability), and Article 12 (Final provisions) remain in force.
Article 12: Final provisions
Governing law: This Agreement is governed by the laws of the Republic of Serbia, primarily the Personal Data Protection Act, as well as the General Data Protection Regulation (GDPR) to the extent applicable.
Jurisdiction: Any disputes arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the competent court in Belgrade.
Severability: If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid provision shall be replaced by a provision that most closely matches its meaning and economic purpose.
Amendments: Amendments to this Agreement are made in writing, with notice to the Controller at least 30 days in advance, via the email address registered in the user account. Continued use of the platform after the amendments enter into force shall constitute acceptance of the amendments.
Contact for questions regarding this Agreement: legal@notixit.com